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Case Study: 1 


VanArsdel, Ltd 


Overview 

VanArsdel, Ltd. builds skyscrapers, subways, and bridges. VanArsdel is a leader in using 
technology to do construction better. 

Overview 

VanArsdel employees are able to use their own mobile devices for work activities because the 
company recognizes that this usage enables employee productivity. Employees also access 
Software as a Service (SaaS) applications, including DocuSign, Dropbox, and Citrix. The 
company continues to evaluate and adopt more SaaS applications for its business. VanArsdel 
uses Azure Active Directory (AD) to authenticate its employees, as well as Multi-Factor 
Authentication (MFA). Management enjoys the ease with which MFA can be enabled and 
disabled for employees who use cloud-based services. VanArsdel's on-premises directory 
contains a single forest. 

Helpdesk: 

VanArsdel creates a helpdesk group to assist its employees. The company sends email 
messages to all its employees about the helpdesk group and how to contact it. Configuring 
employee access for SaaS applications is often a time-consuming task. It is not always 
obvious to the helpdesk group which users should be given access to which SaaS 
applications. The helpdesk group must respond to many phone calls and email messages to 
solve this problem, which takes up valuable time. The helpdesk group is unable to meet the 
needs of VanArsdel's employees. 

However, many employees do not work with the helpdesk group to solve their access 
problems. Instead, these employees contact their co-workers or managers to find someone 
who can help them. Also, new employees are not always told to contact the helpdesk group 
for access problems. Some employees report that they cannot see all the applications in the 
Access Panel that they have access to. Some employees report that they must re-enter their 
passwords when they access cloud applications, even though they have already authenticated. 
Bring your own device (BYOD): 

VanArsdel wants to continue to support users and their mobile and personal devices, but the 
company is concerned about how to protect corporate assets that are stored on these devices. 
The company does not have a strategy to ensure that its data is removed from the devices 
when employees leave the company. 

Customer Support 

VanArsdel wants a mobile app for customer profile registration and feedback. The company 
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would like to 
profile system 


keep track of all its previous, current, and future customers worldwide. A 
using third-party authentication is required as well as feedback and support 


sections for the mobile app. 


Migration: 


VanArsdel plans to migrate several virtual machine (VM) workloads into Azure. They also 
plan to extend their on-premises Active Directory into Azure for mobile app authentication. 
Business Requirements 

Hybrid Solution: 


Mobile App: 


eA single account and credentials for both on-premises and cloud applications 
eCertain applications that are hosted both in Azure and on-site must be 
accessible to both VanArsdel employees and partners 

eThe service level agreement (SLA) for the solution requires an uptime of 
99.9% 

eThe partners all use Hotmail.com email addresses 


VanArsdel requires a mobile app for project managers on construction job sites. The mobile 


app has the following requirements: 


Security: 


eThe app must display partner information. 

eThe app must alert project managers when changes to the partner information 
occur. 

eThe app must display project information including an image gallery to view 
pictures of construction projects. 

eProject managers must be able to access the information remotely and 
securely. 


eVanArsdel must control access to its resources to ensure sensitive services 
and information are accessible only by authorized users and/or managed 
devices. 

eEmployees must be able to securely share data, based on corporate policies, 
with other VanArsdel employees and with partners who are located on 
construction job sites. 

eVanArsdel management does NOT want to create and manage user accounts 
for partners. 


Technical Requirements 


Architecture: 


Data Storage: 


eVanArsdel requires a non-centralized stateless architecture fonts data and 
services where application, data, and computing power are at the logical 
extremes of the network. 

eVanArsdel requires separation of CPU storage and SQL services 
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VanArsdel needs a solution to reduce the number of operations on the contractor information 
table. Currently, data transfer rates are excessive, and queue length for read/write operations 
affects performance. 
eA mobile service that is used to access contractor information must have 
automatically scalable, structured storage 
elmages must be stored in an automatically scalable, unstructured form. 
Mobile Apps: 
eVanArsdel mobile app must authenticate employees to the company's Active 
Directory. 
eEvent-triggered alerts must be pushed to mobile apps by using a custom 
Node.js script. 
eThe customer support app should use an identity provider that is configured 
by using the Access Control Service for current profile registration and 
authentication. 
eThe customer support team will adopt future identity providers that are 
configured through Access Control Service. 
Security: 
eActive Directory Federated Server (AD FS) will be used to extend AD into 
Azure. 
eHelpdesk administrators must have access to only the groups of Azure 
resources they are responsible for. Azure administration will be performed by 
a separate group. 
eIT administrative overhead must be minimized. 
ePermissions must be assigned by using Role Based Access Control (RBAC). 
eLine of business applications must be accessed securely. 


Question: 1 


You need to assign permissions for the Virtual Machine (VM) workloads that you migrate to 
Azure. 

The solution must use the principal of least privileges. 

What should you do? 


A. Create all VMs in the cloud service named Groupl and then connect to the Azure 
subscription. Run the following Windows PowerShell command: New- 
AzureRoleAssignment -Mail userl@vanarsdelltd.com -RoleDefinitionName Contributor - 
ResourceGroupName group 1 

B. In the Azure portal, select an individual virtual machine and add an owner. 

C. In the Azure portal, assign read permission to the user at the subscription level. 

D. Create each VM in a separate cloud service and then connect to the Azure subscription. 
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Run the following Windows PowerShell command:Get-AzureVM | New- 
AzureRoleAssignment -Mail user @vanarsdelltd.com -RoleDefinitionName Contributor 


Answer: A 


Explanation: 

* Scenario: Permissions must be assigned by using Role Based Access Control (RBAC). 

* Role-Based access control (RBAC) in the Azure Portal and Azure Resource Management 
API allows you to manage access to your subscription at a fine-grained level. With this 
feature, you can grant access for Active Directory users, groups, or service principals by 
assigning some roles to them at a particular scope. 

Create a role assignment 

Use New-AzureRoleAssignment to create a role assignment. 

Example: This will create a role assignment for a group at a resource group level. 

PS C:\> New-AzureRoleAssignment -ObjectID <group object ID> -RoleDefinitionName 
Reader -ResourceGroupName group1 

References: 
https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-control- 
powershell/ 


Question: 2 


DRAG DROP 
You need to recommend data storage mechanisms for the solution. 
What should you recommend? To answer, drag the appropriate data storage mechanism to the 
correct information type. Each data storage mechanism may be used once, more than once, or 
not at all. You may need to drag the split bar between panes or scroll to view content. 

Data Storage Mechanisms Answer Area 


Table storage . ‘ 
g | Information Type Data Storage Mechanism 
Blob storage 


Queue storage ae 
Project images Data Storage Mechnism 


MySQL 


Answer: 
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Data Storage Mechanisms Answer Area 


Table storage : 
- Information Type Data Storage Mechanism 
Blob storage 
s Contractor information Table storage 
Queue storage o = 
Project images ob storage 


MySQL 


* Use Table storage for Contractor information 

* Use Blob for Project Images 

* Scenario: VanArsdel needs a solution to reduce the number of operations on the contractor 
information table. Currently, data transfer rates are excessive, and queue length for read/write 
operations affects performance. 

/ A mobile service that is used to access contractor information must have automatically 
scalable, structured storage 

/ Images must be stored in an automatically scalable, unstructured form. 

Note: Blob is an acronym for Binary Large object. Basically Blob is a sequence of bytes — 
just what an application needs. Blob can hold audio, video, email messages, archived files, 
zip files or a word processing document in a very general way. 

References: 
http://www.thewindowsclub.com/understanding-blobqueuetable-storage-windows-azure 


Question: 3 


You need to design the system that alerts project managers to data changes in the contractor 
information app. 
Which service should you use? 


A. Azure Mobile Service 

B. Azure Service Bus Message Queueing 
C. Azure Queue Messaging 

D. Azure Notification Hub 


Answer: C 
Explanation: 
* Scenario: 
/ Mobile Apps: Event-triggered alerts must be pushed to mobile apps by using a custom 
Node.js script. 


/ The service level agreement (SLA) for the solution requires an uptime of 99.9% 
* If you are already using Azure Storage Blobs or Tables and you start using queues, you are 
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guaranteed 99.9% availability. If you use Blobs or Tables with Service Bus queues, you will 
have lower availability. 

Note: Microsoft Azure supports two types of queue mechanisms: Azure Queues and Service 
Bus Queues. 

/ Azure Queues, which are part of the Azure storage infrastructure, feature a simple REST- 
based Get/Put/Peek interface, providing reliable, persistent messaging within and between 
services. 

/ Service Bus queues are part of a broader Azure messaging infrastructure that supports 
queuing as well as publish/subscribe, Web service remoting, and integration patterns. 
References: 

https://msdn.microsoft.com/en-us/library/azure/hh767287.aspx 


Question: 4 


You need to recommend a solution that allows partners to authenticate. 
Which solution should you recommend? 


A. Configure the federation provider to trust social identity providers. 

B. Configure the federation provider to use the Azure Access Control service. 

C. Create a new directory in Azure Active Directory and create a user account for the partner. 
D. Create an account on the VanArsdel domain for the partner and send an email message 
that contains the password to the partner. 


Answer: B 


Explanation: 

* Scenario: The partners all use Hotmail.com email addresses. 

* In Microsoft Azure Active Directory Access Control (also known as Access Control 
Service or ACS), an identity provider is a service that authenticates user or client identities 
and issues security tokens that ACS consumes. 

The ACS Management Portal provides built-in support for configuring Windows Live ID as 
an ACS Identity Provider. 

Incorrect: 

Not C, not D: Scenario: VanArsdel management does NOT want to create and manage user 
accounts for partners. 

References: 


Question: 5 


HOTSPOT 
You need to design the contractor information app. 
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What should you recommend? To answer, select the appropriate options in the answer area. 
Answer Area 


You must authenticate employees to the contractor information app. v 


Azure Password Sync 
Azure Mobile Services 
Azure Active Directory 
Azure Active Directory Sync 


You must synchronize data with the contractor information app. 


Azure Password Sync 
Azure Mobile Services 
Azure Active Directory 
Azure Active Directory Sync 


Answer: 


Answer Area 


You must authenticate employees to the contractor information app. = 


Azure Password Sync 

Azure Mobile Services 

Azure Active Directory 
Active Director 


You must synchronize data with the contractor information app. 


Azure Active Directory Sync 


/ They also plan to extend their on-premises Active Directory into Azure for mobile app 
authentication 

/ VanArsdel mobile app must authenticate employees to the company's Active Directory. 
References: 
http://azure.microsoft.com/en-gb/documentation/articles/mobile-services-ios-get-started- 
offline-data/ 


Question: 6 


You are designing a plan to deploy a new application to Azure. 
The solution must provide a single sign-on experience for users. 
You need to recommend an authentication type. 

Which authentication type should you recommend? 
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A. SAML credential tokens 

B. Azure managed access keys 
C. Windows Authentication 
D. MS-CHAP 


Answer: A 


Explanation: 

A Microsoft cloud service administrator who wants to provide their Azure Active Directory 
(AD) users with sign-on validation can use a SAML 2.0 compliant SP-Lite profile based 
Identity Provider as their preferred Security Token Service (STS) / identity provider. This is 
useful where the solution implementer already has a user directory and password store on- 
premises that can be accessed using SAML 2.0. This existing user directory can be used for 
sign-on to Office 365 and other Azure AD-secured resources. 

References: 
https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx?f=255&MSPPError=- 
2147217396 


Question: 7 


You need to prepare the implementation of data storage for the contractor information app. 
What should you? 


A. Create a storage account and implement multiple data partitions. 

B. Create a Cloud Service and a Mobile Service. Implement Entity Group transactions. 

C. Create a Cloud Service and a Deployment group. Implement Entity Group transactions. 
D. Create a Deployment group and a Mobile Service. Implement multiple data partitions. 


Answer: B 


Explanation: 

* Scenario: 

/ VanArsdel needs a solution to reduce the number of operations on the contractor 
information table. Currently, data transfer rates are excessive, and queue length for read/write 
operations affects performance. 

/ A mobile service that is used to access contractor information must have automatically 
scalable, structured storage 

* The basic unit of deployment and scale in Azure is the Cloud Service. 

References: 

https://msdn.microsoft.com/en-us/library/azure/dd894038.aspx 


https://www.certkillers.net 


Questions & Answers PDF Page 10 


Question: 8 


You need to ensure that users do not need to re-enter their passwords after they authenticate 
to cloud applications for the first time. 
What should you do? 


A. Enable Microsoft Account authentication. 

B. Set up a virtual private network (VPN) connection between the VanArsdel premises and 
the Azure datacenter. Set up a Windows Active Directory domain controller in Azure VM. 
Implement Integrated Windows authentication. 

C. Deploy ExpressRoute. 

D. Configure Azure Active Directory Sync to use single sign-on (SSO). 


Answer: D 


Explanation: 

Single sign-on (SSO) is a property of access control of multiple related, but independent 
software systems. With this property a user logs in once and gains access to all systems 
without being prompted to log in again at each of them. 

References: 

http://en.wikipedia.org/wiki/Single_ sign-on 
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